'\" t
.\"___INFO__MARK_BEGIN__
.\"
.\" Copyright: 2004 by Sun Microsystems, Inc.
.\"
.\"___INFO__MARK_END__
.\" $RCSfile: sge_ca.8,v $     Last Update: $Date: 2008/07/19 17:12:58 $     Revision: $Revision: 1.3 $
.\"
.\"
.\" Some handy macro definitions [from Tom Christensen's man(1) manual page].
.\"
.de SB		\" small and bold
.if !"\\$1"" \\s-2\\fB\&\\$1\\s0\\fR\\$2 \\$3 \\$4 \\$5
..
.\"
.de T		\" switch to typewriter font
.ft CW		\" probably want CW if you don't have TA font
..
.\"
.de TY		\" put $1 in typewriter font
.if t .T
.if n ``\c
\\$1\c
.if t .ft P
.if n \&''\c
\\$2
..
.\"
.de M		\" man page reference
\\fI\\$1\\fR\\|(\\$2)\\$3
..
.TH SGE_CA 8 "$Date: 2008/07/19 17:12:58 $" "xxRELxx" "xxQS_NAMExx Administrative Commands"
.SH NAME
util/sgeCA/sge_ca \- xxQS_NAMExx CSP Support control command
.\"
.\"
.SH SYNTAX
.B sge_ca command [command options]
.\"
.\"
.SH DESCRIPTION
.I "\fBsge_ca\fP" 
controls a simple xxQS_NAMExx Certificate Authority that is used for the special Certificate Security Protocol (CSP) mode.
CSP mode improves the security behavior of xxQS_NAMExx by enabling OpenSSL secured communication channels and X509v3 certificates for authentication. In addition it is possible to export the key material or to create JKS keystores for the JMX connector.
It follows a list of possible commands and command options to give an overview which functionality is available. For further details about every command refer to the COMMAND DETAILS section.
.SH COMMAND OVERVIEW
.IP "\fBsge_ca [-help]\fP"
show usage
.IP "\fBsge_ca -init [command options]\fP"
create the infrastructure for a new xxQS_NAMExx Certificate Authority with its corresponding files and directories and a set of keys and certificates for SGE daemon, root and admin user.
.IP "\fBsge_ca -req | -verify <cert> | -sign | -copy [command options]\fP"
manipulate individual keys and certificates
.IP "\fBsge_ca -print <cert> | -printkey <key> | -printcrl <crl>\fP"
print out certificates, keys and certificate revocation lists in human readable form. 
.IP "\fBsge_ca -showCaTop | -showCaLocalTop [command options]\fP"
echo the $CATOP or $CALOCALTOP directory. This command is usually run as root on the qmaster host after a CA infrastructure has been created. If "\fB-cadir\fP" or "\fB-catop\fP" or "\fB-calocaltop\fP" are set the corresponding directories are printed.
.IP "\fBsge_ca -usercert <user file> | -user <u:g:e> | -sdm_daemon <u:g:e> [command options]\fP" 
are used for creation of certificates and keys for a bunch of users contained in <user file>, a single user or SDM daemon <u:g:e>. (see
.M hedeby_introduction 1
)
.IP "\fBsge_ca -pkcs12 <user> | -sdm_pkcs12 <g> | -sys_pkcs12 [command options]\fP"
are used to export the certificate and key for user <user> or SDM daemon <g> in PKCS12 format and to export the SGE daemon certificate and key in PKCS12 format.
.IP "\fBsge_ca -userks | -ks <user> | -sysks [command options]\fP"
are used for creation of keystore for all users with a certificate and key, the keystore for a single user <user> and the keystore containing the SGE daemon certificate and key.
.IP "\fBsge_ca -renew <user> | -renew_ca | -renew_sys | -renew_sdm <g> [command options]\fP" 
are used to renew the corresponding certificates for user <user>, for the CA, for the SGE daemon certificate and for the SDM daemon <g> certificate.
.PP
where "\fB[command options]\fP" is a combination of the following options depending on the command. The COMMAND DETAILS section explains which options are usable for each command.
.IP "\fB\-days <days>\fP"
days of validity of the certificate
.IP "\fB\-sha1\fP"
use SHA-1 instead of MD5 as message digest
.IP "\fB\-encryptkey\fP"
use DES to encrypt the generated private key with a passphrase. The passphrase is requested when a key is created or used.
.IP "\fB\-outdir <dir>\fP"
write to directory <dir>
.IP "\fB\-cahost <host>\fP"
define CA hostname (CA master host)
.IP "\fB\-cadir <dir>\fP"
define $CALOCALTOP and $CATOP settings
.IP "\fB\-calocaltop <dir>\fP"
define $CALOCALTOP setting
.IP "\fB\-catop <dir>\fP"
define $CATOP setting
.IP "\fB\-kspwf <file>\fP"
define a keystore password file that contains a password that is used to encrypt the keystore and the keys contained therein
.IP "\fB\-ksout <file>\fP"
define output file to write the keystore to
.IP "\fB\-pkcs12pwf <file>\fP" 
define a PKCS12 password file that contains a password that is used to encrypt the PKCS12 export file and the keys contained therein
.IP "\fB\-pkcs12dir <dir>\fP"
define the output directory <dir> to write the exported PKCS12 format file to. Otherwise the current working directory is used.
.\"
.\"
.br
.\"
.\"
.SH COMMAND DETAILS
.\"
.IP "\fBsge_ca -init [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <num days>]\fP"
.br
The \fB-init\fP command creates a new xxQS_NAMExx certificate authority and its corresponding files. Usually "\fBsge_ca -init\fP" is run by user root on the master host.
If the options -adminuser, -cadir, -calocaltop, -catop and the xxQS_NAMExx environment variables SGE_ROOT, SGE_CELL and SGE_QMASTER_PORT are set the CA directories are created in the following locations:
.br $SGE_ROOT/$SGE_CELL/common/sgeCA  (can be overruled by -catop <dir> or -cadir <dir>)
.br /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL  (can be overruled by -calocaltop <dir> or -cadir <dir>)
.br The following information must be delivered for the site:
two letter country code, state, location, e.g city or your building-code, organization (e.g. your company name), organizational unit, e.g. your department, email address of the CA administrator (you!)

Certificates and keys are generated for the CA itself, for SGE daemon, for xxQS_NAMExx install user (usually root) and finally for the xxQS_NAMExx admin user. 

How and where the certificates and keys are created can be influenced additionally by:
.br
.I "\fB\-days <days>\fP"
change the time of validity of the certificates to number of <days> instead of 365 days
.br
.I "\fB\-sha1\fP"
change the message digest algorithm from MD5 to SHA-1
.br
.I "\fB\-encryptkey\fP"
encrypt the generated keys with a passphrase
.br
.I "\fB\-adminuser <user>\fP"
use <user> as admin user
.br
.I "\fB\-cahost <host>\fP"
use <host> as the CA master host
.br
.I "\fB[-cadir <dir>] [-catop <dir> [-calocaltop <dir>]\fP"
set $CATOP and $CALOCALTOP to <dir> to use something different than the xxQS_NAMExx default directories. Either -cadir <dir> has to be specified to replace $CATOP and $CALOCALTOP by the same directory or -catop <dir> for $CATOP and -calocaltop <dir> for $CALOCALTOP.
.\"
.br
.br
.IP "\fBsge_ca -user <u:g:e> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>]\fP"
generate certificate and keys for <u:g:e> with u='Unix user account name', g='common name' and e='email address'. By default the certificate is valid for 365 days or by <days> specified with -days <days>.
This command is usually run as user root on the qmaster host. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -sdm_daemon <u:g:e>\fP"
generate daemon certificate and keys for <u:g:e> with u='Unix user account name', g='common name' and e='email address'. By default the certificate is valid for 365 days or by <days> specified with "\fB\-days <days>\fP". This command is usually run as user root on the qmaster host.
.\"
.IP "\fBsge_ca -usercert <user file> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>] [-encryptkey] [-sha1]\fP"
Usually sge_ca -usercert <user file> is run as user root on the master host. The argument <user file> contains a list of users in the following format:

.RS 0
         eddy:Eddy Smith:eddy@griders.org
.RS 0
         sarah:Sarah Miller:sarah@griders.org
.RS 0
         leo:Leo Lion:leo@griders.org
.IP
where the fields separated by colon are:
.RS 0
         Unix user:Gecos field:email address
.\"
.br
.br
.IP "\fBsge_ca -renew <user> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>]\fP"
Renew the certificate for <user>. By default the certificate is extended for 365 days or by <days> specified
with -days <days>. If the value is negative the certificate becomes invalid.
This command is usually run as user root on the qmaster host. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -renew_ca [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>]\fP"
Renew the CA certificate. By default the certificate is extended for 365 days or by <days> specified
with -days <days>. If the value is negative the certificate becomes invalid.
This command is usually run as user root on the qmaster host. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -renew_sys [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>]\fP"
Renew the SGE daemon certificate. By default the certificate is extended for 365 days or by <days> specified
with -days <days>. If the value is negative the certificate becomes invalid.
This command is usually run as user root on the qmaster host. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -renew_sdm <g> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>]\fP"
Renew the SDM daemon certificate of <g>, where <g> is the common name of the daemon. By default the certificate is extended for 365 days or by <days> specified with -days <days>. If the value is negative the certificate becomes invalid.
This command is usually run as user root on the qmaster host. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.br
.br
.IP "\fBsge_ca -pkcs12 <user> [-pkcs12pwf <file>] [-pkcs12dir <dir>] [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
export certificate and key of user <user> 'the Unix user name' in PKCS12 format. This command is usually run as user root on the qmaster host. If -pkcs12pwf <file> is used the file and the corresponding key will be encrypted with the password in <file>. If -pkcs12dir <dir> is used the output file is written into <dir>/<user>.p12 instead of ./<user>.p12 . $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -sys_pkcs12 [-pkcs12pwf <file>] [-pkcs12dir <dir>] [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
export certificate and key of SGE daemon in PKCS12 format. This command is usually run as user root on the qmaster host. If -pkcs12pwf <file> is used the file and the corresponding key will be encrypted with the password in <file>. If -pkcs12dir <dir> is used the output file is written into <dir>/<user>.p12 instead of ./<user>.p12 . $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -sdm_pkcs12 <g> [-pkcs12pwf <file>] [-pkcs12dir <dir>] [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
export certificate and key of daemon <g> g='common name' in PKCS12 format. This command is usually run as user root on the qmaster host. If -pkcs12pwf <file> is used the file and the corresponding key will be encrypted with the password in <file>. If -pkcs12dir <dir> is used the output file is written into <dir>/<g>.p12 instead of ./<g>.p12 . $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.br
.br
.IP "\fBsge_ca -ks <user> [-ksout <file>] [-kspwf <file>] [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
create a keystore containing certificate and key of user <user> in JKS format where <user> is the Unix user name. This command is usually run as user root on the qmaster host. If -kspwf <file> is used the keystore and the corresponding key will be encrypted with the password in <file>. The -ksout <file> option specifies the keystore file that is created. If the -ksout <file> option is missing the default location for the keystore is $CALOCALTOP/userkeys/<user>/keystore. This command is usually invoked by sge_ca -userks. A prerequisite is a valid JAVA_HOME environment variable setting. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -userks [-kspwf <file>] [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
generate a keystore in JKS format for all users having a key and certificate.
This command is usually run as user root on the qmaster host.
If -kspwf <file> is used the keystore and the corresponding key will be encrypted with the password in <file>.
The keystore files are created in $CALOCALTOP/userkeys/<user>/keystore. This command is run after user certificates and keys have been created with sge_ca -usercert <userfile> or if any of the certificates have been renewed. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -sysks [-kspwf <file>] [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
generate a keystore containing the SGE daemon certificate and key in JKS format.
This command is usually run as user root on the qmaster host.
If -kspwf <file> is used the keystore and the corresponding key will be encrypted with the password in <file>.
The keystore file is created in $CALOCALTOP/private/keystore. $CATOP and $CALOCALTOP maybe overruled by -cadir, -catop and -calocaltop.
.\"
.br
.br
.IP "\fBsge_ca -print <cert>\fP"
Print a certificate where <cert> is the corresponding certificate in pem format. 
.\"
.IP "\fBsge_ca -printkey <key>\fP"
Print a key where <key> is the corresponding key in pem format. 
.\"
.IP "\fBsge_ca -printcrl <crl>\fP"
Print a certificate revocation list where <crl> is the corresponding certificate revocation list in pem format. 
.\"
.IP "\fBsge_ca -printcrl <crl>\fP"
Print a certificate revocation list where <crl> is the corresponding certificate revocation list in pem format. 
.\"
.br
.br
.IP "\fBsge_ca -req [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>] [-encryptkey] [-sha1] [-outdir <dir>]\fP"
create a private key and a certificate request for the calling user. This are created as newkey.pem and newreq.pem in the current working directory.
If the option -outdir <dir> is specified in addition the files are created in <dir>.
.\"
.IP "\fBsge_ca -sign [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <days>] [-encryptkey] [-sha1] [-outdir <dir>\fP"
Sign a certificate request. The CA certificate under $CATOP (default: $SGE_ROOT/$SGE_CELL/common/sgeCA) and CA key from 
$CALOCALTOP (default: /var/sgaCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL) are used for the signature.
If $CATOP and $CALOCALTOP are set to a different directory the information there is used. The certificate is created as newcert.pem in the current working directory or
in <dir> if the option -outdir <dir> has been specified. In addition the option "\fB\-days <number of days>\fP" can be specified to change the default validity from 365 to
number of days.
.\"
.IP "\fBsge_ca -verify <cert> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]\fP"
Verify a certificates validity where <cert> is the corresponding certificate in pem format. $CATOP and $CALOCALTOP can be overruled by -cadir, -catop and -calocaltop.
.\"
.IP "\fBsge_ca -copy [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]\fP"
sge_ca \-copy is run by a user to copy the users certificate and key on the master host to $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem and the corresponding private key in $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem which are used instead of the files in $CATOP and $CALOCALTOP. The command is only recommended for testing purposes or where $HOME is on a secure shared file system. 
.\" 
.br
.br
.SH EXAMPLES
.IP "# sge_ca -init -cadir /tmp -sha1 -encryptkey -days 31"
create a CA infrastructure in /tmp with a certificate validity of 31 days using SHA-1 instead of MD5 as message digest.The keys are encrypted and a passphrase has to be entered during the creation of the different keys or during signing a certificate with the created CA key.
.IP "# sge_ca -usercert /tmp/myusers.txt -cadir /tmp"
/tmp/myusers.txt contains user1:My User:user1@myorg.org and user1 is a valid Unix user account. Create a key and certificate for user1.
.IP "# sge_ca -userks -cadir /tmp"
create a keystore for all users of the simple CA. The keystore is stored under /tmp/userkeys/<user>/keystore.
.IP "# sge_ca -renew root -cadir /tmp -days -1"
make the root certificate temporarily invalid.
.IP "# sge_ca -renew_ca -days 365 -cadir /tmp"
renew the CA certificate for 365 days
.SH "ENVIRONMENTAL VARIABLES"
.\" 
.IP "\fBSGE_ROOT\fP" 1.5i
Specifies the location of the xxQS_NAMExx standard configuration
files.
.\"
.IP "\fBSGE_CELL\fP" 1.5i
If set, specifies the default xxQS_NAMExx cell.
.\"
.\"
.SH RESTRICTIONS
.I sge_ca
The command must be usually called with xxQS_NAMExx root permissions on the master host.
For more details on the permission requirements consult the detailed description for the different commands above.
.\"
.\"
.SH FILES
\fBsge_ca\fP creates a file tree starting in \fB$CATOP\fP and \fB$CALOCALTOP\fP. The default for \fB$CATOP\fP is usually $SGE_ROOT/$SGE_CELL/common/sgeCA and for \fB$CALOCALTOP\fP /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL where the subpaths beginning with $ expands to the content of the corresponding environment variable.

In addition there may optionally exist the user certificate in $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem and the corresponding private key in $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem which are used instead of the files in $CATOP and $CALOCALTOP. (see sge_ca -copy above) 
.\"
.\"
.SH "SEE ALSO"
.M xxqs_name_sxx_qmaster 8 .
.\"
.SH "COPYRIGHT"
See
.M xxqs_name_sxx_intro 1
for a full statement of rights and permissions.
